
I have a malicious user targeting my site, sending a large amount of POST requests. I have automated systems to block abusing IPs; however, the problem is I am blocking them within my PHP code via a database. So every POST request they make makes a database call. This is creating a strain. I also do this check in the form of a cooldown.

Since I am using Cloudflare I can not just automatically add abusing IPs to iptables or something, and Apache isn't getting the real IPs either.

What is the best way to handle this? I keep blocking IP ranges of VPNs he is using; however, the IP being used switches as soon as they get blocked.

HopelessN00b
ComputerLocus
  • Call his mother? – Michael Hampton Jan 05 '15 at 03:12
  • @MichaelHampton I would if I could, however I only have an IP address on them and that is all. – ComputerLocus Jan 05 '15 at 03:16
  • Are these requests _automated_? Have you captured one with e.g. tcpdump? – Michael Hampton Jan 05 '15 at 03:19
  • @MichaelHampton how should I capture them? I do not know the originating IP address via my host, only the Cloudflare IP address. These requests are definitely made via a script; however, this is a targeted attack. – ComputerLocus Jan 05 '15 at 03:24
  • Hmm. There's always [Bad Behavior](http://bad-behavior.ioerror.us/) then. (Disclaimer: I wrote it.) Without seeing a sample of the traffic, though, I make no guarantees. – Michael Hampton Jan 05 '15 at 03:28
  • @MichaelHampton well if you are interested, [here are the access logs that contain POST requests](http://pastebin.com/imWdDPJm) to the endpoint they are using. Note: the IP address you see there will be a CloudFlare one, not the bad user's actual IP. Does this help? – ComputerLocus Jan 05 '15 at 03:33
  • No, as I mentioned on the web site, the Apache logs don't contain sufficient detail. I would need to see a packet capture, or at minimum a complete set of request headers. – Michael Hampton Jan 05 '15 at 03:36
  • @MichaelHampton Is there a method you know of where I could monitor the requests to the specific endpoint live and dump a specific request? I may not know the IP, however I do know what the malicious requests look like. – ComputerLocus Jan 05 '15 at 03:42
  • @MichaelHampton okay, I got the real IPs working with the Cloudflare module. I will provide a tcpdump when they start an attack again. Let me know what you want from the tcpdump. – ComputerLocus Jan 05 '15 at 03:55

1 Answer


You can see the visitor's actual IP by installing mod_cloudflare.

https://support.cloudflare.com/hc/en-us/articles/200170836-How-do-I-restore-original-visitor-IP-to-Apache-Web-Servers-

How do I restore original visitor IP to Apache Web Servers?

To restore the original visitor IP addresses to log files and web applications running on Apache httpd web servers, you will need to install mod_cloudflare. To install mod_cloudflare, follow the installation steps described on our Downloads page.

After that you may block the malicious IPs on the Apache level via htaccess before any request reaches any PHP script.

Update:

The Cloudflare downloads page provides ready-made packages for common Linux distributions. If your distribution is not supported you may compile the module for your Apache as described here: https://www.cloudflare.com/resources-downloads#mod_cloudflare

Option 4: Manual Installation: Debian / Ubuntu

mod_cloudflare has a few software dependencies that need to be installed first:

apt-get install libtool apache2-dev

Note: If you find that you are unable to install apache2-dev then you should install:

apt-get install libtool apache2-threaded-dev

Next, you should download the mod_cloudflare source to your server:

wget https://www.cloudflare.com/static/misc/mod_cloudflare/mod_cloudflare.c

Finally, install the module. Depending on your system, the command to run might be apxs or apxs2. So, run one of the below two commands. If you get a "Command not found" when running one, try the other:

apxs -a -i -c mod_cloudflare.c

apxs2 -a -i -c mod_cloudflare.c

Cha0s
  • Their mod_cloudflare solution works on Ubuntu 12.04, not Ubuntu 14.04 like I am using. It does not support Apache 2.4, it supports 2.2. I am using 2.4. – ComputerLocus Jan 05 '15 at 03:40
  • If there isn't a package for your distro you can download the source and compile it for your Apache as described here: https://www.cloudflare.com/resources-downloads#mod_cloudflare – Cha0s Jan 05 '15 at 03:44
  • Also Apache 2.4 is supported according to cloudflare. – Cha0s Jan 05 '15 at 03:53
  • Okay, I have completed the manual install as instructed and it looks like the IPs are now resolving correctly to the real IPs. – ComputerLocus Jan 05 '15 at 03:53
  • It's not necessary to use mod_cloudflare with Apache 2.4, since it already includes this functionality in mod_remoteip. – Michael Hampton Jan 05 '15 at 03:53